Abstract. We obtain nontrivial estimates of quadratic character
sums of division polynomials $\Psi_n(P)$, $n = 1, 2, \ldots$, evaluated
at a given point $P$ on an elliptic curve over a finite field of $q$
elements. Our bounds are nontrivial if the order of $P$ is at least
$q^{1/2+\varepsilon}$ for some fixed $\varepsilon > 0$. This work is
motivated by an open question about statistical indistinguishability of
some cryptographically relevant sequences which has recently been
brought up by K. Lauter and the second author.



1. Division Polynomials and Character Sums 

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ of
characteristic $p > 3$. Denote by $E(\mathbb{F}_q)$ the group of points
of $E$ defined over $\mathbb{F}_q$. We refer to [9] for background on
elliptic curves.

Let $\Psi_n$ be the $n$-th division polynomial for positive integers $n$.
For a given point $P \in E(\mathbb{F}_q)$, the sequence $\Psi_n(P)$ is
often called an elliptic divisibility sequence. It satisfies the
following recurrence relation [9, Exercise 3.34]

$$\Psi_{j+k}(P)\Psi_{j-k}(P)\Psi_i(P)^2 + \Psi_{i+j}(P)\Psi_{i-j}(P)\Psi_k(P)^2
  + \Psi_{k+i}(P)\Psi_{k-i}(P)\Psi_j(P)^2 = 0. \tag{1}$$

By definition, $\Psi_n(P) = 0$ if and only if $[n]P = 0$. Further, the
sequence $\Psi_n(P)$ is necessarily periodic with some period $T$ and $T$
is always a multiple of the order of $P$ (see Lemma 1 below). For
background on elliptic divisibility sequences, see [2, 11, 12].

Note that elliptic divisibility sequences can be viewed as a
generalisation of Lucas sequences. We recall that Lucas sequences (of
the first kind) are sequences satisfying a recurrence of the form

$$L_n = aL_{n-1} + bL_{n-2}, \qquad L_0 = 0, \quad L_1 = 1,$$

with given coefficients $a$ and $b$. Lucas sequences, including Fibonacci
numbers, satisfy (1) after an appropriate scaling (multiplication of the
$n$-th term by $A^{n^2-1}$ for some $A$); see [9, Exercise 3.34] and
[12, Section VI].

In this paper, for a fixed point $P \in E(\mathbb{F}_q)$, and an integer
$N < T$, we obtain nontrivial estimates of sums of the form

$$S_P(N) = \sum_{n=1}^{N} \chi(\Psi_n(P)),$$

where $\chi$ is the quadratic character of $\mathbb{F}_q$ (as usual, we
set $\chi(0) = 0$).
Character sums with linear recurrence sequences have been studied 
in P]. See also PJ Chapter 5] for a survey of estimates of exponential 
and character sums with various recurrence sequences. However, to 
our knowledge, for elliptic divisibility sequences no results have been 
obtained prior to this work. 

2. Motivation 

This question also has a cryptographic connection. In [5] the following
elliptic divisibility sequence residue problem has been considered:
given two points $P, Q \in E(\mathbb{F}_q)$ such that
$Q \in \langle P \rangle$, $Q \neq O$ and $\mathrm{ord}(P) > 4$,
calculate $\chi(\Psi_k(P))$ for the smallest positive $k$ such that
$Q = [k]P$. To find $k$ given the points $P$ and $Q$ is the well-known
elliptic curve discrete logarithm problem and its assumed difficulty is
the basis of elliptic curve cryptography. To solve the residue problem it
certainly suffices to solve the discrete logarithm problem. However, it
may be possible to solve the residue problem without first calculating
$k$. It is shown in [5, Theorem 1.1] that solving either of these
problems in subexponential time leads to a solution of the other in
subexponential time. For perspective, the calculation of
$\chi(\Psi_{k+1}(P)/\Psi_k(P))$ takes only polynomial time from $P$ and
$Q$, and does not reveal $k$, see [5, Section 8]. This has raised the
general question of what can be said about the residuosity of
$\Psi_n(P)$. More specifically, it has been shown in [5] that the
difficulty of a certain distinguishability problem of cryptographic
interest depends on the bias between the quadratic residues and
nonresidues amongst consecutive terms of the sequence $\Psi_n(P)$,
$n = 1, \ldots, N$, which in turn is equivalent to estimating the sums
$S_P(N)$.

3. Prerequisites concerning division polynomials 

We recall some classical results, the first of which describes the ratio 
^„+,(P)/^„(P). 

By [10, Theorem 8] (see also [12, Theorem 8.1]), we have:
Lemma 1. Let $P \in E(\mathbb{F}_q)$ be of order $r > 3$. Then for all
positive $s, k \in \mathbb{Z}$,

where a and b are given by 

^r-l{P)^2{Py ^r-2{P) ' 

Furthermore, by [10, Lemma 6], we also have:
Lemma 2. Let n and m be positive integers. Then 

We remark that in general, for $P \in E(\mathbb{F}_q)$ of order $r > 3$,
the period $T$ of the sequence $\Psi_n(P)$ may be as large as
$r(q - 1)$, see [10, Corollary 9]. In turn, $r$ can be of order $q$ as
well, for example, if $P$ is a generator of the cyclic group of points.

However, the following result, that is immediate from Lemma 1, shows
that the sequence $\chi(\Psi_n(P))$ is of smaller period.

Lemma 3. Let $P \in E(\mathbb{F}_q)$ be of order $r > 3$. Then the
sequence $\chi(\Psi_n(P))$ is periodic with period which is a divisor of
$R = 2r$.

Thus, we see from Lemma 3 that bounds of character sums $S_P(N)$ are of
interest only for the values of $N < R = 2r$.
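
The following Python example is added here and is not part of the paper: it evaluates $\Psi_n(P)$ over a small prime field with the standard doubling recurrences for division polynomials on $y^2 = x^3 + Ax + B$, computes $S_P(N)$, and checks the period statement of Lemma 3 numerically. The prime 1009, the curve coefficients, the point (2, 4) and all function names are constructed for this illustration.

```python
p, A, B, P0 = 1009, 1, 6, (2, 4)  # constructed: y^2 = x^3 + A*x + B over F_p; 2^3+2+6 = 4^2

def chi(v):  # quadratic character of F_p, with chi(0) = 0
    return 0 if v % p == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)

def add(P, Q):
    """Affine group law on E(F_p); None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def order(P):  # order r of P, found by repeated addition
    n, Q = 1, P
    while Q is not None:
        Q, n = add(Q, P), n + 1
    return n

def psi_sequence(P, count):
    """[Psi_0(P), ..., Psi_count(P)] mod p; requires y != 0."""
    x, y = P
    inv2y = pow(2 * y % p, -1, p)
    psi = [0, 1, 2 * y % p,
           (3 * x**4 + 6 * A * x**2 + 12 * B * x - A * A) % p,
           4 * y * (x**6 + 5 * A * x**4 + 20 * B * x**3 - 5 * A * A * x**2
                    - 4 * A * B * x - 8 * B * B - A**3) % p]
    for n in range(5, count + 1):
        m = n // 2
        if n % 2:   # Psi_{2m+1} = Psi_{m+2} Psi_m^3 - Psi_{m-1} Psi_{m+1}^3
            v = psi[m + 2] * psi[m]**3 - psi[m - 1] * psi[m + 1]**3
        else:       # 2y Psi_{2m} = Psi_m (Psi_{m+2} Psi_{m-1}^2 - Psi_{m-2} Psi_{m+1}^2)
            v = psi[m] * (psi[m + 2] * psi[m - 1]**2 - psi[m - 2] * psi[m + 1]**2) * inv2y
        psi.append(v % p)
    return psi

def character_sum(P, N):
    """S_P(N) = sum_{n=1}^{N} chi(Psi_n(P))."""
    return sum(chi(v) for v in psi_sequence(P, N)[1:N + 1])

def period_divides_2r(P):
    """Lemma 3 check: chi(Psi_n(P)) == chi(Psi_{n+R}(P)) for R = 2r."""
    R = 2 * order(P)
    c = [chi(v) for v in psi_sequence(P, 2 * R)]
    return all(c[n] == c[n + R] for n in range(1, R + 1))
```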

4. Prerequisites concerning character sums 

It is well-known that for an elliptic curve $E$ over $\mathbb{F}_q$ we
have

$$E(\mathbb{F}_q) \cong \mathbb{Z}/M\mathbb{Z} \times \mathbb{Z}/L\mathbb{Z}$$

for unique integers $M$ and $L$ satisfying $L \mid M$. The points $P$ and
$Q$ are called echelonized generators if $P$ has order $M$, $Q$ has order
$L$ and any point of $E(\mathbb{F}_q)$ can be written in the form
$mP + \ell Q$ with $1 \le m \le M$ and $1 \le \ell \le L$.

Let $\Omega = \mathrm{Hom}(E(k), \mathbb{C}^*)$ be the group of characters
on $E(k)$; this is given explicitly by

$$\Omega = \{e_M(am)e_L(b\ell) : 0 \le a < M,\ 0 \le b < L\},$$

where for a positive integer $K$, we define

$$e_K(z) = \exp(2\pi i z/K).$$

The following multiplicative analogue of a result of [1] is essentially
[1, Proposition 1], which in turn comes from [6] (note that in [1]
it is formulated only for prime fields but the proof extends to arbitrary 
fields without any difficulties). 
Lemma 4. Let $\eta$ be a non-principal multiplicative character on
$\mathbb{F}_q^*$. Let $K = \mathbb{F}_q(E)$ be the function field of an
elliptic curve $E$ over $\mathbb{F}_q$, and $f \in K$ be of degree $d$
and such that $f \neq g^m$ for any function $g$ in the algebraic closure
$\overline{K}$ of $K$ and $m \mid q - 1$. Let $\omega \in \Omega$. Then

$$\left| \sum^{*}_{P \in E(\mathbb{F}_q)} \omega(P)\eta(f(P)) \right| \le 2d\sqrt{q},$$

where $\sum^{*}$ indicates that the sum is over $P \in E(\mathbb{F}_q)$
such that $f(P) \neq \infty$.



Lemma 5. Under the assumptions of Lemma 4, let
$H \subseteq E(\mathbb{F}_q)$ be a subgroup. Then

$$\left| \sum^{*}_{P \in H} \omega(P)\eta(f(P)) \right| \le 2d\sqrt{q},$$

where $\sum^{*}$ indicates that the sum is over $P \in H$ such that
$f(P) \neq \infty$.

Proof. Let $\Omega_H \subseteq \Omega$ be the subset of characters
$\vartheta$ such that $H \subseteq \ker(\vartheta)$. Then, $\Omega_H$ is
dual to $E(\mathbb{F}_q)/H$, so by the orthogonality property of
characters of abelian groups, we have



P ^H. 



Therefore 



PeH 



P&E{¥g) -senH 



wiT. i H *^-u:{PHf{p))] 

' &enH \P€E{¥g) J 



Applying Lemma 4 we obtain the desired result. □

5. Main results 

Here we estimate the incomplete sum Sp{N). Following the standard 
approach we start with estimates of complete sums twisted with an 
additive character. 

As before, let $R = 2r$ where $r$ is the order of $P$. Then for an
integer $a$ we define the sums

$$T_P(a) = \sum_{n=1}^{R} \chi(\Psi_n(P)) e_R(an),$$

which can be of independent interest.

Theorem 6. For any integer $a$, we have

$$T_P(a) = O\left(R^{5/6} q^{1/12} (\log q)^{1/3}\right).$$

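Proof. Let $a \in \mathbb{Z}$. Fix an integer $L > 3$ and let
$\mathcal{L}$ denote the set of odd primes $\ell$ such that $\ell < L$
and $\ell \nmid R$. Since $R$ has at most $O(\log R) = O(\log q)$ prime
divisors we see, say, for

$$L > (\log q)^2 \tag{2}$$

and sufficiently large $q$ we have

$$\#\mathcal{L} \ge \frac{L}{2\log L}. \tag{3}$$

Let $\ell \in \mathcal{L}$. As $n$ runs through all the residue classes
modulo $R$, so does $\ell n$. Since both sequences $\chi(\Psi_n(P))$ and
$e_R(an)$, $n = 1, 2, \ldots$, are periodic with period $R$, we have

$$T_P(a) = \sum_{n=1}^{R} \chi(\Psi_{\ell n}(P)) e_R(a\ell n).$$

We average over all choices of $\ell \in \mathcal{L}$ and set

$$W = \sum_{\ell \in \mathcal{L}} \sum_{n=1}^{R} \chi(\Psi_{\ell n}(P)) e_R(a\ell n).$$

Then we have

$$T_P(a) = \frac{1}{\#\mathcal{L}} W. \tag{4}$$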



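To estimate $W$, we change the order of summation, and then apply
the Cauchy inequality:

$$|W|^2 \le R \sum_{n=1}^{R} \left| \sum_{\ell \in \mathcal{L}} \chi(\Psi_{\ell n}(P)) e_R(a\ell n) \right|^2.$$

Now we apply Lemma 2:

$$|W|^2 \le R \sum_{n=1}^{R} \left| \sum_{\ell \in \mathcal{L}} \chi(\Psi_\ell(nP)) \chi(\Psi_n(P)^{\ell^2}) e_R(a\ell n) \right|^2.$$

Since $\chi$ is the quadratic character and $\ell$ is odd, we have

$$\chi(\Psi_n(P)^{\ell^2}) = \chi(\Psi_n(P)). \tag{5}$$

Therefore,

$$|W|^2 \le R \sum_{n=1}^{R} \left| \sum_{\ell \in \mathcal{L}} \chi(\Psi_\ell(nP)) e_R(a\ell n) \right|^2.$$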

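Expanding the square and switching the order of summation again,
we obtain

$$\begin{aligned}
|W|^2 &\le R \sum_{n=1}^{R} \sum_{\ell_1, \ell_2 \in \mathcal{L}} \chi(\Psi_{\ell_1}(nP)) e_R(a\ell_1 n) \chi(\Psi_{\ell_2}(nP)) e_R(-a\ell_2 n) \\
&= R \sum_{\ell_1, \ell_2 \in \mathcal{L}} \sum_{n=1}^{R} \chi(\Psi_{\ell_1}(nP)\Psi_{\ell_2}(nP)) e_R(a(\ell_1 - \ell_2)n).
\end{aligned}$$

We now turn to bounding the inner sum.
For $\ell_1 = \ell_2 = \ell$ we have the trivial estimate

$$\sum_{n=1}^{R} \chi(\Psi_\ell(nP)^2) \le R.$$

For $\ell_1 \neq \ell_2$ we use Lemma 5. The degree of $\Psi_\ell(P)$
(considered as a function in the function field of $E$) is
$(\ell^2 - 1)/2$, so the degree of $\Psi_{\ell_1}(P)\Psi_{\ell_2}(P)$ is

$$\le L^2 - 1.$$

It is also easy to see (by examining its zeros) that
$\Psi_{\ell_1}(P)\Psi_{\ell_2}(P)$ is not a square of another function
from the same function field. Since by Lemma 3 we have $R \mid 2r$, we
see that

$$\sum_{n=1}^{R} \chi(\Psi_{\ell_1}(nP)\Psi_{\ell_2}(nP)) e_R(a(\ell_1 - \ell_2)n) = O(L^2 q^{1/2}).$$

Thus, we obtain

$$|W|^2 = O\left(R^2 \#\mathcal{L} + R L^2 q^{1/2} (\#\mathcal{L})^2\right).$$

Substituting this bound in (4) and using (3), we derive

$$\begin{aligned}
T_P(a) &= O\left(R(\#\mathcal{L})^{-1/2} + q^{1/4}R^{1/2}L\right) \\
&= O\left(RL^{-1/2}(\log L)^{1/2} + q^{1/4}R^{1/2}L\right).
\end{aligned}$$

We now choose $L = \lfloor R^{1/3} q^{-1/6} (\log q)^{1/3} \rfloor$, thus
(2) is satisfied, provided that $q$ is large enough, which implies the
desired estimate. □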
We remark that Theorem 6 is nontrivial if $R > q^{1/2+\varepsilon}$ for a
fixed $\varepsilon > 0$ (we recall that the largest possible value of $R$
is of order $q$).

Now using the standard reduction between complete and incomplete
sums, see [3, Section 12.2], we obtain

Corollary 7. For any $N < R$, we have

$$S_P(N) = O\left(R^{5/6} q^{1/12} (\log q)^{4/3}\right).$$



6. Comments 

In principle, our approach works for sums of multiplicative characters
of arbitrary order $d \mid q - 1$. In this case, Lemma 3 needs some
obvious adjustments. Furthermore, the set $\mathcal{L}$ in the proof of
Theorem 6 has to be chosen to consist of primes
$\ell \equiv \pm 1 \pmod{d}$, so (5) still holds. For any fixed $d$ the
final result is the same, however its strength diminishes as $d$ grows,
and for example, for characters of order $q - 1$ leads only to a trivial
estimate. Although we do not see any immediate cryptographic
significance of such a result, obtaining nontrivial estimates of
character sums with arbitrary multiplicative characters is a natural and
interesting question. A related open question is obtaining nontrivial
estimates on similar sums of additive characters of $\mathbb{F}_q$. In
this case, there is no natural analogue of (5) and thus our approach
does not apply at all.

Finally, we mention an algorithmic question which can be of
cryptographic relevance. Given a black-box which for every integer $n$
outputs $\chi(\Psi_n(P))$, the question is to recover the "hidden" point
$P$. This admits several modifications depending whether the curve $E$
and the field $\mathbb{F}_q$ are known or not. This question is analogous
to the more studied cryptographic problem of recovering a hidden
polynomial $f(X) \in \mathbb{F}_q[X]$
given a black-box which outputs x(/(^)); see [7] and references therein. 